Merge branch 'google:master' into CVE-2023-3776

.github/workflows/kernelctf-auto-releaser.yaml

@@ -0,0 +1,38 @@
+name: kernelCTF auto releaser
+on:
+  workflow_dispatch:
+  schedule:
+    - cron:  '0 12 * * *' # every day at 12:00 UTC
+permissions: {}
+defaults:
+  run:
+    shell: bash
+    working-directory: kernelctf
+jobs:
+  get_new_builds:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Install prerequisites
+        run: sudo apt install -yq --no-install-recommends python3-lxml
+
+      - id: check
+        name: Check latest kernel versions
+        run: ./get_latest_kernel_versions.py
+    outputs:
+      releases: ${{ steps.check.outputs.releases }}
+
+  build_release:
+    needs: get_new_builds
+    if: fromJSON(needs.get_new_builds.outputs.releases)[0] != null
+    strategy:
+      matrix:
+        release: ${{ fromJSON(needs.get_new_builds.outputs.releases) }}
+      fail-fast: false # do not cancel other builds
+    uses: ./.github/workflows/kernelctf-release-build.yaml
+    secrets: inherit
+    with:
+      releaseId: ${{ matrix.release.releaseId }}
+      branch: ${{ matrix.release.branch }}

.github/workflows/kernelctf-release-build.yaml

@@ -0,0 +1,73 @@
+name: kernelCTF release build
+on:
+  workflow_dispatch:
+    inputs:
+      releaseId:
+        description: 'Release ID'
+        type: string
+        required: true
+      branch:
+        description: 'Branch, tag or commit'
+        type: string
+        required: false
+  workflow_call:
+    inputs:
+      releaseId:
+        type: string
+      branch:
+        type: string
+run-name: 'kernelCTF release: ${{inputs.releaseId}}'
+permissions: {}
+defaults:
+  run:
+    shell: bash
+    working-directory: kernelctf
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Check release does not exist yet
+        run: curl --fail -I https://storage.googleapis.com/kernelctf-build/releases/${{inputs.releaseId}}/bzImage && exit 1 || true
+
+      - name: Install prerequisites
+        run: sudo apt install -yq --no-install-recommends build-essential flex bison bc ca-certificates libelf-dev libssl-dev cpio pahole
+
+      - name: Build
+        run: ./build_release.sh ${{inputs.releaseId}} ${{inputs.branch}}
+
+      - name: Show releases
+        run: find releases -type f|xargs ls -al
+
+      - name: Upload release artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{inputs.releaseId}}
+          path: kernelctf/releases/${{inputs.releaseId}}
+          if-no-files-found: error
+
+  upload:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Download exploit
+        uses: actions/download-artifact@v3
+        with:
+          name: ${{inputs.releaseId}}
+          path: ./kernelctf/releases/${{inputs.releaseId}}
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        with:
+          credentials_json: '${{secrets.KERNELCTF_GCS_SA_KEY}}'
+
+      - name: Upload release
+        uses: 'google-github-actions/upload-cloud-storage@v1'
+        with:
+          path: kernelctf/releases/${{inputs.releaseId}}
+          destination: kernelctf-build/releases
+          predefinedAcl: publicRead
+          gzip: false # most of the files are compressed already, do not compress them again
+          process_gcloudignore: false # removes warnings that .gcloudignore file does not exist

.github/workflows/kernelctf-submission-verification.yaml

@@ -21,16 +21,18 @@ jobs:
     outputs:
       targets: ${{ steps.check_submission.outputs.targets }}
       submission_dir: ${{ steps.check_submission.outputs.submission_dir }}
+      exploits_info: ${{ steps.check_submission.outputs.exploits_info }}
+      artifact_backup_dir: ${{ steps.check_submission.outputs.artifact_backup_dir }}
     steps:
       - run: pip install -U jsonschema
 
       - name: Checkout repo content
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: master
 
       - name: Checkout PR content
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: pr
           ref: ${{ env.PR_REF }}
@@ -56,7 +58,7 @@ jobs:
       EXPLOIT_DIR: pr/pocs/linux/kernelctf/${{ needs.structure_check.outputs.submission_dir }}/exploit/${{ matrix.target }}
     steps:
       - name: Checkout PR content
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: pr
           ref: ${{ env.PR_REF }}
@@ -114,9 +116,14 @@ jobs:
     env:
       RELEASE_ID: ${{ matrix.target }}
       SUBMISSION_DIR: ${{ needs.structure_check.outputs.submission_dir }}
+      EXPLOIT_INFO: ${{ toJSON(fromJSON(needs.structure_check.outputs.exploits_info)[matrix.target]) }}
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./kernelctf/repro/
     steps:
       - name: Checkout repo content
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: master
 
@@ -133,79 +140,111 @@ jobs:
         uses: actions/download-artifact@v3
         with:
           name: exploit_${{ env.RELEASE_ID }}
-          path: exp/
+          path: ./kernelctf/repro/exp/
 
       - name: Fetch rootfs
         run: |
-          wget https://storage.googleapis.com/kernelctf-build/files/rootfs_repro_v1.img.gz
-          mv rootfs_repro_v1.img.gz rootfs.img.gz
+          wget -O rootfs.img.gz https://storage.googleapis.com/kernelctf-build/files/rootfs_repro_v2.img.gz
           gzip -d rootfs.img.gz
 
       - name: Download bzImage
         run: |
           if [ "$RELEASE_ID" == "mitigation-6.1" ]; then RELEASE_ID="mitigation-6.1-v2"; fi
           wget https://storage.googleapis.com/kernelctf-build/releases/$RELEASE_ID/bzImage
 
+      - name: List repro folder contents
+        run: ls -alR ./
+
       # ugly hack to make Github Actions UI to show repro logs separately in somewhat readable fashion
       - id: repro1
         name: Reproduction (1 / 10)
         continue-on-error: true
-        run: ./kernelctf/repro.sh 1
+        run: ./repro.sh 1
 
       - id: repro2
         name: Reproduction (2 / 10)
         continue-on-error: true
-        run: ./kernelctf/repro.sh 2
+        run: ./repro.sh 2
 
       - id: repro3
         name: Reproduction (3 / 10)
         continue-on-error: true
-        run: ./kernelctf/repro.sh 3
+        run: ./repro.sh 3
 
       - id: repro4
         name: Reproduction (4 / 10)
         continue-on-error: true
-        run: ./kernelctf/repro.sh 4
+        run: ./repro.sh 4
 
       - id: repro5
         name: Reproduction (5 / 10)
         continue-on-error: true
-        run: ./kernelctf/repro.sh 5
+        run: ./repro.sh 5
 
       - id: repro6
         name: Reproduction (6 / 10)
         continue-on-error: true
-        run: ./kernelctf/repro.sh 6
+        run: ./repro.sh 6
 
       - id: repro7
         name: Reproduction (7 / 10)
         continue-on-error: true
-        run: ./kernelctf/repro.sh 7
+        run: ./repro.sh 7
 
       - id: repro8
         name: Reproduction (8 / 10)
         continue-on-error: true
-        run: ./kernelctf/repro.sh 8
+        run: ./repro.sh 8
 
       - id: repro9
         name: Reproduction (9 / 10)
         continue-on-error: true
-        run: ./kernelctf/repro.sh 9
+        run: ./repro.sh 9
 
       - id: repro10
         name: Reproduction (10 / 10)
         continue-on-error: true
-        run: ./kernelctf/repro.sh 10
+        run: ./repro.sh 10
 
       - name: Upload repro QEMU logs as an artifact
         uses: actions/upload-artifact@v3
         with:
           name: repro_logs_${{ env.RELEASE_ID }}
-          path: repro_log_*.txt
+          path: ./kernelctf/repro/repro_log_*.txt
 
       - name: Reproduction // Summary
         env:
           STEPS: ${{ toJSON(steps) }}
         run: |
           echo $STEPS >> steps.json
-          ./kernelctf/repro_summary.py ${{ github.run_id }}
+          ../repro_summary.py ${{ github.run_id }}
+
+      - name: Upload repro summary as an artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: repro_summary_${{ env.RELEASE_ID }}
+          path: ./kernelctf/repro/repro_summary.md
+
+  backup_artifacts:
+    runs-on: ubuntu-latest
+    needs: [structure_check, exploit_build, exploit_repro]
+    if: always() && needs.structure_check.result == 'success'
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          path: ./artifacts
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        with:
+          credentials_json: '${{secrets.KERNELCTF_GCS_SA_KEY}}'
+
+      - name: Upload artifacts to GCS
+        uses: 'google-github-actions/upload-cloud-storage@v1'
+        with:
+          path: ./artifacts
+          destination: kernelctf-build/artifacts/${{ needs.structure_check.outputs.artifact_backup_dir }}_${{ github.run_id }}
+          parent: false
+          predefinedAcl: publicRead
+          process_gcloudignore: false # removes warnings that .gcloudignore file does not exist

.gitignore

@@ -0,0 +1,3 @@
+pocs/cpus/reptar/minimized/reptar.*.bin
+pocs/cpus/reptar/minimized/reptar.*.elf
+pocs/cpus/reptar/minimized/reptar.log

README.md

@@ -41,7 +41,7 @@ security vulnerabilities.
 | 2021 | Linux: KVM VM_IO\|VM_PFNMAP vma mishandling | [CVE-2021-22543](https://github.com/google/security-research/security/advisories/GHSA-7wq5-phmq-m584) | [PoC](pocs/linux/kvm_vma)
 | 2021 | BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution | [CVE-2020-24490](https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649), [CVE-2020-12351](https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq), [CVE-2020-12352](https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq) | [Write-up](https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html), [PoC](pocs/linux/bleedingtooth)
 
-# Licence & Patents
+# License & Patents
 
 The advisories and patches posted here are free and open source.
 

kernelctf/.gitignore

@@ -0,0 +1,4 @@
+.cache/
+__pycache__/
+builds/
+releases/